another look at some isogeny hardness assumptions - simon...

Another Look At Some Isogeny Hardness AssumptionsSimon-Phillipp Merz, Romy Minko, Christophe Petit

ECC 2019

3 December1 / 50

Motivation

Another Look at “Provable Security”

Neal KoblitzDept. of Mathematics, Box 354350

Univ. of Washington, Seattle, WA 98195 U.S.A.

[email protected]

Alfred J. MenezesDept. of Combinatorics & Optimization

Univ. of Waterloo, Waterloo, Ontario N2L 3G1 Canada

[email protected]

July 4, 2004§

Abstract

We give an informal analysis and critique of several typical “provablesecurity” results. In some cases there are intuitive but convincing argu-ments for rejecting the conclusions suggested by the formal terminologyand “proofs,” whereas in other cases the formalism seems to be consistentwith common sense. We discuss the reasons why the search for mathemat-ically convincing theoretical evidence to support the security of public-keysystems has been an important theme of researchers. But we argue thatthe theorem-proof paradigm of theoretical mathematics is often of limitedrelevance here and frequently leads to papers that are confusing and mis-leading. Because our paper is aimed at the general mathematical public,it is self-contained and as jargon-free as possible.

Key words. Cryptography, Public Key, Provable SecurityAMS subject classifications. 94A60, 68P25, 11T71

1 Introduction

Suppose that someone is using public-key cryptography to protect credit cardnumbers during online purchases, maintain confidentiality of medical records, orsafeguard national security information. How can she be sure that the systemis secure? What type of evidence could convince her that a malicious adversarycould not somehow break into the system and learn her secret?

At first glance it seems that this question has a straightforward answer. Atthe heart of any public-key cryptosystem is a “one-way function” — a function

§updated on July 16, 2004; October 25, 2004; March 31, 2005; and May 4, 2005

1

I Isogeny based cryptographyis becoming more popular.

I More protocols aredeveloped, and sometimestheir security does notreduce to existing problems.

I New ‘hard’ problems aretherefore proposed.

2 / 50

Outline

I (Very Brief) Introduction

I Reviewing Some Isogeny ProblemsI Undeniable Signature Schemes

I Jao-Soukharev (2014)I Srinath-Chandrasekaran (2018)

I Attack on the Computational Hardness Assumption

I Attack on the Signature Scheme

3 / 50

SIDH ProtocolParameters

I À, `B small distinct primes

I eA, eB positive integers

I p = èAA èBB f ± 1 , p prime

Fix a supersingular elliptic curve E defined over Fp2 and bases{PA,QA}, {PB ,QB} of the èAA and èBB torsions of E , respectively.Alice chooses 0 < mA, nA < èAA . Bob chooses 0 < mB , nB < èBB .

4 / 50

SIDH Protocol

Alice publishes EA, φA(PB), φA(QB).Bob publishes EB , φB(PA), φB(QA).

EA = E/〈[mA]PA + [nA]QA〉

E EAB

EB = E/〈[mB ]PB + [nB ]QB〉

φ′BφA

φB φ′A

5 / 50

Outline






6 / 50

Problem StatementsSupersingular Isogeny Computational Diffie-Hellman

Problem (SSCDH)

Given the curves E , EA, EB and the points φA(PB), φA(QB),φB(PA) and φB(QA), find the j-invariant of

EAB = E/〈[mA]PA + [nA]QA, [mB ]PB + [nB ]QB〉.

7 / 50

Problem StatementsModified SSCDH

Problem (Modified SSCDH)

Given E , EA, EB and ker(φB), determine EAB up to isomorphism,i.e. find j(EAB).

8 / 50

Problem StatementsOne-Sided Modified SSCDH

Signing Oracle

For fixed curves E ,EA,EB , let OB be an oracle that solvesMSSCDH for EA, EB′ , ker(φB′) such that EB′ is

I not isomorphic to EB , and

I `eBB -isogenous to E .

Problem (One-Sided MSSCDH)

For fixed E , EA, EB , given OB , solve MSSCDH for EA, EB andker(φB).

9 / 50

One-Sided Modified SSCDH

E

EA EB EB′

EAB

EAB′

φB′

φBφA

φ′B

φ′B′

φ′A

φ′′A

Target CurveOracle Output

10 / 50

Problem StatementsOne-More Modified SSCDH

Signing Oracle

For fixed curves E ,EA let OA be an oracle that solves MSSCDHfor EA, EBi

, ker(φBi) upon input of EBi

, `eBB -isogenous to E .

Problem (One-More MSSCDH)

After making q queries to OA produce at least q + 1 distinct pairsof curves (EBi

,EABi), where EABi

is the solution to MSSCDH forEA,EBi

and ker(φBi), and EBi

are `eBB -isogenous to E for1 ≤ i ≤ q + 1.

11 / 50

Outline






12 / 50

Undeniable Signature Schemes

I Σ = {KeyGen, Sign, Check, Sim, πcon, πdis}.I KeyGen generates (vk , sk), a verification and signing key-pair.I Sign(sk ,m) = σm.I Check((vk ,m, σ), sk) determines if σ is valid.I Sim(vk ,m) simulates a signature for m.I πcon, πdis are zero-knowledge interactive protocols.

13 / 50

Jao-Soukharev (2014)

I Let p be a prime of the form èAA èBB `

eCC · f ± 1.

I Fix a supersingular curve E over Fp2 ,

I Fix bases {Pi ,Qi} of the èii torsion of E for i ∈ {A,B,C}.I Let H : {0, 1}∗ → Z be a cryptographic hash function.

14 / 50

Jao-Soukharev (2014)

I Public Parameters: p,E ,H, {Pi ,Qi}i∈{A,B,C}.I Signer’s Secret Key: mA, nA ∈ Z/`eAA Z

(or φA : E → EA = E/〈[mA]PA + [nA]QA〉).

I Public Key: EA, φA(PC ), φA(QC )

15 / 50

Jao-Soukharev (2014)Signing

For message M:

I Compute EB = E/〈PB + [H(M)]QB〉.

E EA

EB EAB

φA

φB φAB

φBA

I Output σ = (EAB , φBA(φB(PC )), φBA(φB(QC ))).

16 / 50

Jao-Soukharev (2014)Confirmation/Disavowal

I The signer secretly chooses mC , nC ∈ Z/`CZ and computesSC = [mC ]PC + [nC ]QC .

EC EAC

EBC EABC

ϕCA

ϕCB ϕACB

ϕBCA

EC = E/⟨SC⟩, EBC = EB /⟨ϕB(SC)⟩EAC = EA/⟨ϕA(SC)⟩, EABC = EBC /⟨ϕCB([mA]PA + [nA]QA)⟩

17 / 50


I Given σ = {Eσ,Pσ,Qσ}, EσC = Eσ/〈[mc ]Pσ + [nC ]Qσ〉

Signer Verifier

Commit: com = EC ,EBC ,EAC ,EABC , ker(φCB)

com

b ←$ {0, 1}

b

if b = 0,X = ker(φC ).

if b = 1,X = ker(φCA).

X

Check EσC = EABC .18 / 50


I Given σ = {Eσ,Pσ,Qσ}, EσC = Eσ/〈[mc ]Pσ + [nC ]Qσ〉

19 / 50

Srinath-Chandrasekaran (2018)Undeniable Blind Signatures

E EA

EB EAB

EBD EBDA

φA

φB

φBD

φBDA

φ̂ABD

Figure: Signing (with blindness)

E EA

EB EAB

φA

φB φAB

φBA

Figure: Verification requires thatthe signature curve is in theisomorphism class of EAB .

20 / 50

Undeniable Signature Schemes

I Security Properties:I UndeniabilityI UnforgeabilityI Invisibility

21 / 50

Undeniable Signature SchemesSecurity Properties

Unforgeability

I The attacker has access to a signing oracle O.

I They can query the oracle polynomially many times witharbitrarily chosen messages mi .

I They must output valid (m, σ), where m 6= mi .

22 / 50

Undeniable Signature SchemesSecurity Properties

Invisibility

I The attacker has access to a signing oracle O.

I They can query the oracle polynomially many times witharbitrarily chosen messages mi .

I They then send mj 6= mi to a challenger.

I The challenger returns σc , either a simulated signature or avalid signature for mj .

I The attacker must decide if σc is valid.

23 / 50

Security ProofsJao-Soukharev

Proof of Unforgeability and Invisibility [1]

Given zero-knowledge confirmation and disavowal protocols,forging signatures is equivalent to OMSSCDH.

Invisibility requires that after a polynomial number of queries tothe signing oracle, an adversary cannot determine the validity of asignature. This problem is equivalent to OMSSCDH.

[1] David Jao and Vladimir Soukharev. Isogeny-based quantum-resistant undeniablesignatures. InInternationalWorkshop on Post-Quantum Cryptography, pages 160–179. Springer, 2014.

24 / 50

Outline






25 / 50

An attack against OMSSCDH

Problem (OMSSCDH)

For fixed E , EA, EB , given an oracle, O, to solve MSSCDH for EA,EB′ , ker(φB′) with EB′ not isomorphic to EB and `eBB -isogenous toE , solve MSSCDH for EA, EB and ker(φB).

E

EA EB EB′

EAB

EAB′

φB′

φBφA

φ′B

φ′B′

φ′A

φ′′A

26 / 50


Theorem

A solution to the OMSSCDH problem can be guessed withprobability 1

(`B+1)`Bafter a single query to the signing oracle.

27 / 50


Suppose we want to solve OMSSCDH given E ,EA, EB andker(φB).

E ◦ ◦ EB ◦

EA ◦ ◦ EAB ◦

28 / 50


Suppose we want to solve OMSSCDH given E ,EA, EB andker(φB).

I Take EB1 , EB2 , `B -isogenous to EB .

I Query O with EB1 and EB2 , to get EAB1 and EAB2 .

I List the `B + 1 isomorphism classes of EAB1 and EAB2 ,`B -isogenous to EAB .

I The intersection of these lists is the isomorphism class of EAB .

29 / 50


E ◦ ◦ EB

EB′

EA ◦ ◦ EAB

EAB′

Querying O with EB′ close to EB yields a curve close to EAB , thetarget.

30 / 50


We can do better.

I Use ker(φB) to find EB′ , `2B -isogenous to EB and

`eBB -isogenous to E .

I Submit EB′ to O to receive EAB′ .

I Guess the isomorphism class of EAB with success probabilityof 1

(`B+1)`B.

This only uses one query to the oracle.

31 / 50

An attack against 1MSSCDH

Problem (One-More MSSCDH)

After making q queries to O produce at least q + 1 distinct pairsof curves (EBi

,EABi), where EABi

is the solution to MSSCDH forEA,EBi

and ker(φBi), EBi

are `eBB -isogenous to E and EABiis

isomorphic to EAB for 1 ≤ i ≤ q + 1.

32 / 50

An attack against 1MSSCDH

Theorem

A solution to the 1MSSCDH problem can be guessed withprobability 1

(`B+1)`Bafter a single query to the signing oracle.

33 / 50

Outline






34 / 50


Proof of Unforgeability and Invisibility [1]

Given zero-knowledge confirmation and disavowal protocols,forging signatures is equivalent to OMSSCDH.

Invisibility requires that after a polynomial number of queries tothe signing oracle, an adversary cannot determine the validity of asignature. This problem is equivalent to OMSSCDH.

[1] David Jao and Vladimir Soukharev. Isogeny-based quantum-resistant undeniablesignatures. InInternationalWorkshop on Post-Quantum Cryptography, pages 160–179. Springer, 2014.

35 / 50


But...

I Messages curves are computed via the hash function H.

I The adversary can only query the oracle with messages.

I Forging messages seems therefore harder than solvingOMSSCDH.

36 / 50

Attack on the Signature Scheme

Let M be the message for which we wish to forge a signature.

Lemma

Let E be a supersingular elliptic curve, let ` be a prime, let e be aninteger, and let {P,Q} be a basis for E [`e ]. Let α, β < `e bepositive integers congruent modulo `k for some integer k < e.Then the `-isogeny paths from E to Eα = E/〈P + [α]Q〉 andEβ = E/〈P + [β]Q〉 are equal up to the k-th step.

37 / 50


E ◦ ◦ EB

EB′

EA ◦ ◦ EAB

EAB′

Aim: use the lemma to extend this idea to EB′ further from EB .

38 / 50


EA EAB′

EAB

φ1 φ2

φeB′

φeB

39 / 50

Attack on the Signature SchemeFinding ψ

EA EAB′

EAB

φ1 φ2

ψB′ , deg(ψB′) = `kB

ψB , deg(ψB) = `kB

φeB′

φeB

I ψ = ψB ◦ ψ̂B′ .

I The probability of correctly identifying ψ with a single guess is1

(`B+1)`2k−1B

.

40 / 50

Attack on the Signature SchemeValidity of σ

Assume: ψ (and hence, EAB) has been guessed correctly.Let honest σ = (EAB ,P,Q), forgery σF = (EAB ,PF ,QF ).Oracle: σ′ = (EAB′ ,P

′ = φB′A(φB′(PC )),Q ′ = φB′A(φB′(QC ))).

I For confirmation/disavowal:I EσC = E/〈[mc ]PF + [nc ]QF 〉I EABC = 〈[mc ]P + [nc ]Q〉

41 / 50


Assume: ψ (and hence, EAB) has been guessed correctly.Let honest σ = (EAB ,P,Q), forgery σF = (EAB ,PF ,QF ).Oracle: σ′ = (EAB′ ,P

′ = φB′A(φB′(PC )),Q ′ = φB′A(φB′(QC ))).

I ψ takes a point on EAB′ to a point on EAB .

I ψ(P ′) = ψ(φB′A(φB′(PC ))) = ψ(φAB′(φA(PC ))) ∈ EAB [`eCC ].

42 / 50


EA EAB′

EAB

φ1 φ2

ψ̂B′ = φ̂eB−k ◦ · · · ◦ φ̂e′B

φeB′

φeB

I φAB′ : EA → EAB′ .

I ψ̂B′ ◦ φAB′ = [`kB ]φeB−k−1 ◦ · · · ◦ φ1.

43 / 50


I Find M ′ such that H(M) and H(M ′) differ by a large power of`B .

I Submit M ′ to the signing oracle, to receiveσ′ = (EAB′ ,P

′,Q ′).

I Guess the `2kB -isogeny ψ : EAB′ → EAB where EAB is theunknown curve corresponding to M.

I Find s such that s`kB ≡ 1 mod `eCC .

I Compute {[s] · ψ(P ′), [s] · ψ(Q ′)}.I Output σF = (EAB , [s] · ψ(P ′), [s] · ψ(Q ′)).

44 / 50


Theorem (Validity of σ)

Let M,M ′, s, ψ,P ′ and Q ′ are defined as in the attack. LetσF = (EAB , [s] · ψ(P ′), [s] · ψ(Q ′)) be the output of our attack.Assuming EAB is guess correctly, σF is a valid signature for M.

45 / 50

Attack on the Signature SchemeAttack Cost

Let λ be our security parameter.Classical security: Take 2L = 22λ.Quantum security: Take 2L = 23λ.

Previous Expected Cost: 2λ.

46 / 50


Classical Cost

Near collision of L1 bits:

2L1/2

Pr[EAB guessed correctly]:

2−2(L−L1)

Take L1 = 4L5 . Then, total cost:

22L/5

Quantum Cost

Near collision of L1 bits:

2L1/3

Pr[EAB guessed correctly]:

2−2(L−L1)

Take L1 = 6L7 . Then, total cost:

22L/7

47 / 50


I Unforgeability is broken.

I For the same level of security, must increase parameters by25% for classical security (17% for quantum security).

I The attack implies invisibility is broken.

48 / 50

Conclusion

The OMSSCDH Problem and the 1MSSCDH Problem are solvablein polynomial time (with a single query!).

We have an attack to break the unforgeability and invisibilityproperties of two undeniable signature schemes:

1. Jao-Soukharev, 2014 [1]

2. Srinath-Chandrasekaran, 2018 [2]

[1] D Jao and V Soukharev. Isogeny-based quantum-resistant Undeniable Signatures. In International Workshop onPost-Quantum Cryptography, pages 160–179. Springer, 2014.[2] M Seshadri Srinath and V Chandrasekaran. Isogeny-based Quantum-resistant Undeniable Blind SignatureScheme. International Journal of Network Security,20(1):9–18, 2018

49 / 50

Thank you for listening!

You can read more at: https://eprint.iacr.org/2019/950

50 / 50

another look at some isogeny hardness assumptions - simon...

Documents